After spending years acquiring a number of cybersecurity vendors and building up its product portfolio, IBM Security is now turning its focus to incident response services. Executives from the IBM Security business unit, which was formally created in 2015, spoke with journalists at the company’s Think 2018 conference.

“In security, we always talk about prevention, detection and response,” said Marc van Zadelhoff, general manager of IBM Security. “We have invested a lot — as have our customers — in prevention and detection. Now, we’ve really started to focus a ton on response.”

Van Zadelhoff said IBM has made around 20 acquisitions in the security space over the years, and the current product lineup includes 14 different software product categories, from endpoint security and threat intelligence services to identity and access management products. While those products have addressed prevention and detection needs, van Zadelhoff said many customers still struggle with proper incident response.

As a result, IBM Security began turning more attention to its security testing and incident response services, which van Zadelhoff said are driving the unit’s net-new growth. Those offerings include IBM X-Force Incident Response and Intelligence Services and IBM X-Force Red security testing services, along with consulting for clients’ security operations centers (SOC).

Marc van Zadelhoff

John Wheeler, vice president of strategy for IBM Security services, said he’s recently noticed more customers recognizing the need to either build their own SOCs or outsource them, because “the corner of the room in the NOC [network operations center] is not the same as a SOC.”

In addition to those incident response services, IBM Security develops incident response playbooks for clients for, as van Zadelhoff said, “when the [vulgarity] hits the fan.” The customized response plans are designed to meet the needs of individual clients based on their size, industry, geographic location and risk profile, among other factors.

IBM Security supplements those playbooks with its Cyber Range, a physical simulator for security incidents that was unveiled in 2016. Located in Cambridge, Mass., the Cyber Range allows customers to play out scenarios of cyberattacks and data breaches on a fictitious company with live actors. The simulations include not just technical aspects of a breach, but media, regulatory compliance and legal aspects, as well.

“Essentially, we explode a company once or twice a day based on whatever malware we bring in, and we have customers go through what it’s like to experience a breach,” van Zadelhoff said. “We have a journalist show up asking for comment on the breach. We have lawyers, we have auditors and we have board members from the company.”

Wheeler said even when organizations have an academic understanding of incident response, their ability to execute those plans under the pressure of an attack or breach is often lacking. Getting multiple Type-A personalities to work together in a tense environment can be an enormous challenge, he said. “I’ve seen very large companies with big security budgets come into the Cyber Range and be humbled very quickly,” Wheeler said.

You can tell the clients that have done scenario-based exercises and the ones that haven’t based on the level of dysfunction in that room.Charles Hendersonglobal managing partner for IBM X-Force Red

Charles Henderson, global managing partner for IBM X-Force Red, the company’s red teaming service, said part of the problem for many organizations is there can be too many cooks in the kitchen when a breach occurs.

“All-star teams rarely play well together. It’s sort of the dream-team problem. You put people that are incredibly good in their field in a room together, and everyone tries to take point,” Henderson said. “You can tell the clients that have done scenario-based exercises and the ones that haven’t based on the level of dysfunction in that room.”

Those types of situations may require additional guidance and support from IBM personnel on the ground, and that’s something van Zadelhoff said is becoming more common with the company’s focus on incident response services. Some customers, he said, may have 25 to 30 IBM consultants on the ground running their SOCs.

The opportunity to bring incident response services and “SOC science,” as Wheeler called it, could be considerable; during his IBM Think keynote, van Zadelhoff said companies continue to struggle with basic, foundational elements of proper infosec hygiene — most notably incident response. “A shocking 77% of organizations do not have a proper response plan,” he said. “In 2018, that is truly unacceptable.”